Hacker News: droidmonkey's comments

A blog post has been put up to address this: https://keepassxc.org/blog/2023-06-20-cve-202335866/

Additionally, this is certainly not unique to KeePassXC. KeePass original and other clones we have tested do not require entering your credentials again prior to export or credential change.


I am a happy keepassxc user but I have criticized the authors on multiple occasions for not investing in a clear documentation of an attacker model. It seems to me a lot of bogus security is added here and there and this non-CVE is the result, because people demand more of that.


Hi there, lead developer of KeePassXC here (and writer of a lot of code). The TOTP and SSH Agent are generally not a security issue. TOTP has no external interfaces and SSH Agent only writes to the known interface standards of those programs. There is actually not much to those code areas.

Auto-Type is similarly rather simple at the interface level (except for X11, because it's X11). We call native OS functions to emulate typing.

Similarly, the internal reporting features are rather benign. HIBP checks require explicit approval by the user before anything happens.

The browser code and FDO Secrets code definitely need auditing. The browser extension is separate from the browser code within KeePassXC proper.

KeeShare is going to be entirely rewritten for our 2.8.0 release.


If there isn't much code to review, then it makes no sense to exclude them from the audit.


Thanks for all the good work you do!


Corrected, thank you! I also added links to the 32-bit variants.


KeePass is the original, and also not very cross-platform. KeePassX has gone through several iterations and now represents a fairly stable and low-feature release of KeePass with cross-platform support. KeePassXC is where all the new and exciting features are being integrated into KeePassX while fixing latent bugs and cross-platform issues. Hope that makes sense.


Is there any thought to merging efforts with the original KeePass project? I know it's C# based but with .NET Core being an option now, maybe it doesn't require Mono and could be made cross-platform. Or maybe keep the C++ code and fold it back into the original project?

I just hate to have multiple projects spend resources on what is essentially the same thing. I think there are gains to be had by combining resources together.


The larger problem on cross-platform KeePass was never Mono directly (aside from the FUD), but rather the WinForms UI. One could blame Mono for not having a visually pleasing implementation of WinForms, although .NET core has nothing at all.

Refactoring out a core and building multiple UIs would be an interesting and large project.


It doesn't necessarily have to be multiple UIs (although that's probably better in the long term), but there are x-platform options like:

1) Eto.Forms (https://github.com/picoe/Eto)
2) Avalonia (https://github.com/AvaloniaUI/Avalonia)


Wow thank you for the kind words! Appreciate the support.


You're welcome, it's a very decent effort. And now I'm sort of shamed into actually contributing. Reporting back as soon as time allows.


Yep, we are now switching to advising its use for the human rights defenders and journalists that we work with.

